Unlike v2, v3 adds manual routes to the DNS servers to the VPN settings. Beyond being unintended, this also breaks connectivity because WireGuard requires included routes to be present in AllowedIPs.
Removing the implicit routes is not enough. matchDomains = [""] behaves differently in Passepartout and WireGuard: in Passepartout it causes the DNS servers to be routed through the VPN no matter what.
As absurd as it sounds, this is caused by calling setTunnelNetworkSettings(nil) when the tunnel is started, to later call it with the actual settings. Dropping that call resolves the discrepancy.
If the DNS server is a private address inside the VPN, it should be reachable without a specific route.
If the DNS server is a public address, and is pushed by the server, shouldn't the server push the route if it wants it to be routed through the VPN? The client doesn't know if the VPN is able to forward traffic to the Internet.
If the DNS server is set by the client, then maybe it could make sense to add such routes to enforce routing through the VPN, yet it shouldn't be necessary.
Reported here: https://www.reddit.com/r/passepartout/comments/1isz8xo/wg_config_with_registered_allowed_ip_does_not_work/
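A way to spot affected configurations, as an added example that is not Passepartout code: it lists the DNS servers in a wg-quick style config whose host route would fall outside AllowedIPs, the case the issue describes as breaking connectivity. The sample config and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample (not from the issue): a split-tunnel wg-quick config with
# one resolver inside AllowedIPs, one public resolver outside, one search domain.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <placeholder>
Address = 10.8.0.2/32, fd00:8::2/128
DNS = 10.8.0.1, 1.1.1.1, corp.example

[Peer]
PublicKey = <placeholder>
AllowedIPs = 10.8.0.0/24, fd00:8::/64
Endpoint = vpn.example:51820
"""

def parse_list(config, section, key):
    """Collect comma-separated values of `key` from every `[section]` block."""
    values, current = [], None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif "=" in line and current == section.lower():
            name, _, value = line.partition("=")
            if name.strip().lower() == key.lower():
                values += [v.strip() for v in value.split(",") if v.strip()]
    return values

def covered(route, allowed):
    """True if `route` lies inside an AllowedIPs network of the same IP family."""
    return any(route.version == net.version and route.subnet_of(net) for net in allowed)

def uncovered_dns_routes(config):
    """Host routes to DNS servers that no AllowedIPs entry covers."""
    allowed = [ipaddress.ip_network(v, strict=False)
               for v in parse_list(config, "Peer", "AllowedIPs")]
    missing = []
    for entry in parse_list(config, "Interface", "DNS"):
        try:
            host = ipaddress.ip_network(entry)  # bare address becomes /32 or /128
        except ValueError:
            continue  # wg-quick treats non-IP DNS entries as search domains
        if not covered(host, allowed):
            missing.append(str(host))
    return missing

if __name__ == "__main__":
    print(uncovered_dns_routes(SAMPLE_CONFIG))
```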